A Windows Scheduled Task runs as [email protected] on a 2008R2 server. The server's local disk has some files that Joe Blow should not see. Joe Blow knows the serviceAccount password. As far as I know, serviceAccount has no server privileges beyond Log on as a batch job, and local Users group membership via Domain Users. Could Joe read those files?
If so, I should probably create another service account to run the task. But I'd prefer to avoid that clutter, if 'Log on as a batch job' does not expose the files.
The question title may be misleading; I'm asking if I've done due diligence restricting unauthorized access in this particular case. I'm not asking for help reading files... although I am asking if and how files might be read.
I was relieved to get Access Denied attempting to use Enter-PSSession as serviceAccount to create a remote session. But I haven't tested much further.
The server is a VMware virtual machine, but I'm asking here about guest-level as opposed to hypervisor-level security.
Edit: I tried scheduling a Task on a second server, where serviceAccount is in the local Administrators group. (That membership was not my decision, and I'm aware it's bad practice.) The Task runs test.cmd with contents:
dir \\firstServer\c$\ > C:\temp\out.txt 2>&1
Ran the task as serviceAccount and "Task Scheduler successfully finished" with out.txt contents, 'Access is denied.' - good. As a kind of control test, ran the task as otherAdmin with rights to both servers, and out.txt contained the directory listing from firstServer.
So maybe I should have asked: should I create a new service account for which Joe Blow does not have the password? Or is that unnecessary?
More about this convoluted scenario here.
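
An ACL check an administrator could run on the server for the question above, as an added example that is not part of the original post: it lists file-system ACEs under a folder that give read access to serviceAccount or to groups a batch logon of that account carries. The folder path, the DOMAIN prefix and the English group names are assumptions.

```powershell
# Added example (not from the post). $Path, DOMAIN and the account name are placeholders.
param(
    [string]$Path    = 'C:\Sensitive',
    [string]$Account = 'DOMAIN\serviceAccount'
)

# Principals whose ACEs apply to the task's token: the account itself, the groups
# named in the post, and well-known groups a batch logon carries (English names assumed).
$principals = @(
    $Account, 'DOMAIN\Domain Users', 'BUILTIN\Users', 'Everyone',
    'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\BATCH'
)

# ReadData/ListDirectory (0x1), GENERIC_ALL (0x10000000), GENERIC_READ (0x80000000).
# Generic bits show up in inherit-only ACEs and are missed by a plain "Read" match.
$readMask = 0x1 -bor 0x10000000 -bor 0x80000000

$sections = [System.Security.AccessControl.AccessControlSections]::Access
$items = @(Get-Item -LiteralPath $Path -Force) +
         @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

$findings = foreach ($item in $items) {
    # GetAccessControl() is used instead of Get-Acl so this also runs on PowerShell 2.0.
    try { $acl = $item.GetAccessControl($sections) }
    catch { Write-Warning "Cannot read ACL: $($item.FullName)"; continue }

    # Explicit and inherited rules, identities translated to DOMAIN\name where possible.
    foreach ($rule in $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])) {
        $who = $rule.IdentityReference.Value
        $canRead = ([int]$rule.FileSystemRights -band $readMask) -ne 0
        if (($principals -contains $who) -and $canRead) {
            New-Object PSObject -Property @{
                Path      = $item.FullName
                Identity  = $who
                Type      = $rule.AccessControlType   # Allow or Deny
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

$findings | Sort-Object Path, Identity |
    Format-Table Path, Identity, Type, Rights, Inherited -AutoSize
```

The output lists matching ACEs, not effective access: a Deny entry overrides an Allow, and membership in groups not in `$principals` is not considered.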